A: We have developed two sample letters for use in directing your patients on how you are handling the Coronavirus situation. These are templates which must be customized to your situation. We advise all practices to review your policies and educate your staff as you consider system changes.
A: This CMS document provides recommendations to limit those medical services that could be deferred, such as non-emergent, elective treatment and preventive medical services for patients of all ages. Be aware that some states and municpalities have enacted executive orders with stricter guidelines and definitions of non-essential medical services. If you have questions, check with your state or loacal government websites and/or Board of Medical Examiners.
A: Previously, Business Associates (BAs) could only release patient information under the direction of the Covered Entity. On April, 2, 2020, the OCR provided notice, they are relaxing those requirements on BAs so they can release pertinent COVID-19 related information in the interest of public health. The notice specifically states:
OCR will exercise its enforcement discretion and will not impose penalties against a business associate or covered entity under the Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), 45 CFR 164.504(e)(1) and (5) if, and only if:
A: The HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization under certain circumstances. This link provides the document that specifies when it is acceptable to disclose PHI to first responders.
A: HIPAA Privacy and Security rules are still in effect, and for the most part have not been waived or relaxed.
In regards to telehealth (telemedicine), the Office for Civil Rights (OCR) has recently provided notice stating they will waive penalties for any potential HIPAA violations by healthcare providers who use everyday communications technologies such as FaceTime, Skype, Facebook Messenger video chat, Google Hangouts video chat, and similar private-facing platforms during the Coronavirus crisis for telehealth services. The OCR has also indicated platforms such as Facebook Live, Twitch, TikTok, and similar video services are considered public-facing and should NOT be used for telehealth services.
These relaxations for telehealth (telemedicine) are only for the remote treatment of patients through one-on-one communication technologies. Staff should continue following all Privacy and Security policies and procedures for protecting the privacy, security, and integrity of patient information, whether from the office or from home. Please see the FAQ on employees working from home for additional information on protecting patient information for those working from home.
HHS has a decision tool to walk you through the process of determining when, what, and how PHI may be disclosed in a Public Health Emergency. These appropriate disclosures would be:
In light of the COVID-19 pandemic, the Substance Abuse and Mental Health Services Administration (SAMHSA) has provided guidance stating, as determined by the provider, a medical emergency exists, healthcare providers may use their own judgement when disclosing substance use disorder records to other providers for treatment purposes when a medical emergency exists. This is typically a disclosure that is not permitted without written patient consent, but SAMHSA has relaxed this requirement during the current crisis. SAMHSA emphasizes that, under the medical emergency exception, providers make their own determinations whether a bona fide medical emergency exists for purposes of providing needed treatment to patients.
https://www.samhsa.gov/sites/default/files/covid-19-42-cfr-part-2-guidance-03192020.pdf
These current relaxations, while they do not have an expiration date, are not permanent and will more than likely revert to previous guidance once the current State of Emergency passes.
A: Patients should be aware that there is mandatory reporting of COVID-19 to the Department of Health, but that is still confidential. The health department takes over once reported, but the physician offices still have to maintain confidentiality.
A: From a HIPAA standpoint, employees should treat patient information with the same privacy and security as they would in the office. The current relaxation of Security guidelines only relates to Telehealth. Practices must include employees working remotely to their Security Risk Analysis in order to remain compliant. Additionally:
A: There are no new requirements for employers. The Occupational Safety and Health Act (OSHA) has always required employers, including medical practices, to assure safe and healthful working conditions. OSHA’s Guidance on Preparing Workplaces for COVID-19 can be found here.
A: Each situation should be handled on a case-by-case basis. Use the CDC guidelines found here.
A: The CDC has provided dedicated resources to help with strategies to bring healthcare personnel with confirmed COVID-19, or who have suspected COVID-19, back to the workplace. This link, updated on April 13, 2020, has criteria and cautions every practice should consider as they bring back employees.
A: The CDC has provided contingency and crisis strategies based on assumptions of current CDC recommendations for medical practices. Strategies for Optimizing the Supply of Disposable Medical Gloves.
Our team is here to answer any questions you might have or to help you fill out a quote application.